Suspicious Process Masquerading As SvcHost.EXE
Detects a suspicious process that is masquerading as the legitimate "svchost.exe" by naming its binary "svchost.exe" and executing from an uncommon location. Adversaries often disguise their malicious binaries by naming them after legitimate system processes like "svchost.exe" to evade detection.
Sigma rule

```yaml
title: Suspicious Process Masquerading As SvcHost.EXE
id: be58d2e2-06c8-4f58-b666-b99f6dc3b6cd
related:
    - id: 01d2e2a1-5f09-44f7-9fc1-24faa7479b6d
      type: similar
    - id: e4a6b256-3e47-40fc-89d2-7a477edd6915
      type: similar
status: test
description: |
    Detects a suspicious process that is masquerading as the legitimate "svchost.exe" by naming its binary "svchost.exe" and executing from an uncommon location.
    Adversaries often disguise their malicious binaries by naming them after legitimate system processes like "svchost.exe" to evade detection.
references:
    - https://tria.ge/240731-jh4crsycnb/behavioral2
    - https://redcanary.com/blog/threat-detection/process-masquerading/
author: Swachchhanda Shrawan Poudel
date: 2024-08-07
tags:
    - attack.defense-evasion
    - attack.t1036.005
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\svchost.exe'
    filter_main_img_location:
        Image:
            - 'C:\Windows\System32\svchost.exe'
            - 'C:\Windows\SysWOW64\svchost.exe'
    filter_main_ofn:
        OriginalFileName: 'svchost.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unlikely
level: high
```
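To make the rule's condition concrete, here is an added Python re-implementation of its matching logic (`selection and not 1 of filter_main_*`) run over a few constructed process_creation events; it is not code from the Sigma project. It assumes the events are plain dictionaries keyed by the Sigma field names used above, and applies the case-insensitive string matching that Sigma uses by default.

```python
from typing import Iterable

# Sigma string comparisons (equality and |endswith) are case-insensitive by
# default, so every path is normalised to lower case before comparing.
LEGIT_PATHS = {
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\syswow64\svchost.exe",
}


def matches_rule(event: dict) -> bool:
    """True when the event satisfies 'selection and not 1 of filter_main_*'."""
    image = str(event.get("Image", "")).lower()
    ofn = str(event.get("OriginalFileName", "")).lower()
    selection = image.endswith(r"\svchost.exe")
    filter_img_location = image in LEGIT_PATHS
    # A missing OriginalFileName field never satisfies the filter, so such an
    # event is still reported when the image path is not a legitimate one.
    filter_ofn = ofn == "svchost.exe"
    return selection and not (filter_img_location or filter_ofn)


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\svchost.exe", "OriginalFileName": "svchost.exe"},
    {"Image": r"C:\Windows\SysWOW64\SVCHOST.EXE", "OriginalFileName": "svchost.exe"},
    # OriginalFileName comes from the PE version resource, so a verbatim copy of
    # the genuine binary in another directory is suppressed by filter_main_ofn.
    {"Image": r"C:\Users\Public\svchost.exe", "OriginalFileName": "svchost.exe"},
    # A different binary named svchost.exe in an uncommon path: the case this rule targets.
    {"Image": r"C:\Users\Public\svchost.exe", "OriginalFileName": "loader.exe"},
    # Source without PE metadata (no OriginalFileName field): still reported.
    {"Image": r"C:\ProgramData\svchost.exe"},
    {"Image": r"C:\Windows\System32\services.exe", "OriginalFileName": "services.exe"},
]


def find_hits(events: Iterable[dict]) -> list[str]:
    """Return the Image path of every event the rule would alert on."""
    return [e["Image"] for e in events if matches_rule(e)]


if __name__ == "__main__":
    for hit in find_hits(SAMPLE_EVENTS):
        print("ALERT:", hit)
```

Pairing this rule with its related rules (for example the parent-directory and OriginalFileName-based checks listed below) closes the copied-genuine-binary case that filter_main_ofn deliberately leaves out.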
Related rules
- Creation Of Pod In System Namespace
- Potential Binary Impersonating Sysinternals Tools
- Windows Processes Suspicious Parent Directory
- Suspicious Scheduled Task Creation via Masqueraded XML File
- Exploit for CVE-2015-1641